PMKID attack on WPA/WPA2 WiFi networks

Summary

Makers of the popular WiFi hacking tool hashcat have discovered a way to improve password brute-forcing of the WPA/WPA2 WiFi security standards. By leveraging the PMKID served by access points in WPA/WPA2-enabled WiFi networks, attackers gain knowledge of a pre-shared key hash, which can be used to brute-force the WPA/WPA2 password offline.


This, however, requires a set of conditions to work:

o WPA/WPA2 must be "Personal security (Pre-shared Key)". Other types (e.g. Enterprise) are not vulnerable

o The PMKID must be included in the first EAPOL message of the 4-way handshake

o 802.11r and PMKID caching must be enabled

Affected Products

FortiOS supports WPA/WPA2 WiFi and is only affected under special configurations [1]

FortiAP supports WPA/WPA2 WiFi and is only affected under special configurations [1]

[1] When 802.11r/fast-bss-transition is enabled and security is set to wpa2-only-personal.
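As an added example (not from the advisory or from Fortinet), the following Python script audits FortiOS-style CLI output for VAPs in the affected configuration (fast-bss-transition enabled with wpa2-only-personal) and reports whether the configured passphrase meets the 12-character guidance given under Solutions. The sample config is constructed, and the vap keys "security", "fast-bss-transition" and "passphrase" are assumed names.

```python
import re

# Constructed FortiOS-style CLI output (not from a real device); the vap keys
# "security", "fast-bss-transition" and "passphrase" are assumed names.
SAMPLE_CONFIG = """\
config wireless-controller vap
    edit "corp-ft"
        set security wpa2-only-personal
        set fast-bss-transition enable
        set passphrase "short1pw"
    next
    edit "corp-ent"
        set security wpa2-only-enterprise
        set fast-bss-transition enable
    next
    edit "corp-long"
        set security wpa2-only-personal
        set fast-bss-transition enable
        set passphrase "Xq7#pL2!vR9mTz4wKe8b"
    next
end
"""

MIN_PSK_BYTES = 12  # advisory minimum; 20 characters preferred

def parse_vaps(text):
    """Return {vap_name: {key: value}} for each 'edit ... next' entry."""
    vaps, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?(.+?)"?$', line)
        if m:
            current = m.group(1)
            vaps[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            vaps[current][key] = value.strip('"')
    return vaps

def audit(text):
    """Return {vap: 'WEAK'|'EXPOSED'} for VAPs meeting the PMKID preconditions."""
    result = {}
    for name, cfg in parse_vaps(text).items():
        if cfg.get("fast-bss-transition") != "enable" or cfg.get("security") != "wpa2-only-personal":
            continue  # preconditions not met; Enterprise (802.1X) is not affected
        psk_len = len(cfg.get("passphrase", "").encode("utf-8"))
        result[name] = "WEAK" if psk_len < MIN_PSK_BYTES else "EXPOSED"
    return result
```

VAPs reported as EXPOSED meet the attack preconditions but already satisfy the length guidance; switching them to wpa2-only-enterprise removes the exposure entirely.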

Solutions

Since this is a protocol-level attack that facilitates brute-force cracking, mitigations exist to disable it altogether or to drastically lower its practical feasibility:

1. When enabling the 802.11r/fast-bss-transition feature on FortiOS/FortiAP, avoid using wpa2-only-personal security, and use wpa2-only-enterprise instead. This effectively prevents the attack completely.

2. If the above is not acceptable given the environment, a minimum of 12 high-entropy random ASCII characters should be used as the password (with 20 characters being preferable).
This renders the attack impractical with the computing power currently available for brute-force cracking.

Starting with FortiOS 6.2.1, the following CLI commands (for the pre-shared key of a WPA/WPA2-Personal SSID) will require a passphrase of at least 12 bytes when editing the [vap-name] if the existing passphrase is shorter than 12 bytes:

    config wireless-controller vap
        edit [vap-name]
            set passphrase [psk]    /* minimum 12 bytes psk when wfa-compatibility is disabled [1] */
        next
    end

[1] For compatibility with the WPA3™-SAE Test Plan Version 1.0, a new CLI setting was introduced at the same time to allow a minimum 8-byte pre-shared key. Its default value is disabled (enabling it is not suggested in production environments).

    config wireless-controller setting
        set wfa-compatibility enable    /* disable is the default value */
    end

Starting from FortiOS 6.2.3, the minimum psk length reverted back to 8 bytes to restore usability. The wfa-compatibility CLI command no longer controls that size.

Revision History:

09-10-2018 Initial version

06-18-2019 Pre-shared key length for WPA/WPA2 personal SSID by default needs at least 12 bytes

01-27-2020 Minimum pre-shared key length reverted back to 8 bytes starting from FortiOS 6.2.3